VPN Cisco Client

usuario0001
Level 1

Hi,

I've configured two IPsec VPNs, one site-to-site VPN between two Cisco 2811 routers and the other between one of the routers and a Cisco VPN Client.

But, I have one problem. If I add the command for the VPN Cisco Client:

crypto map IPSEC_VPN client authentication list userauthen

the other VPN never comes up, and if I remove it I don't know the security implications, because I can connect only with the VPN Client user and password, but without router user and password.

Could anybody tell me the better way to configure these two VPNs?

This is the current configuration:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key mykey address xxx.xxx.xxx.xxx
!
crypto isakmp client configuration group 1client
 key 123
 pool ippool
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
crypto map IPSEC_VPN client authentication list userauthen
crypto map IPSEC_VPN isakmp authorization list groupauthor
crypto map IPSEC_VPN client configuration address respond
!
crypto map IPSEC_VPN 3 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 103
crypto map IPSEC_VPN 10 ipsec-isakmp dynamic dynmap
!
interface Tunnel1
 ip address 10.1.1.14 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination xxx.xxx.xxx.xxx
 crypto map IPSEC_VPN
!
!
interface FastEthernet0/0
 description Interface WAN
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 crypto map IPSEC_VPN
!
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 load-interval 30
!
ip local pool ippool 192.168.2.100 192.168.2.110
!
...

Thanks and regards


Todd Pula
Level 7

You will want to modify the client config to utilize an ISAKMP profile. This will allow you to associate the authentication and authorization commands with the dynamic map as opposed to the crypto map. Please see the attached sample config.
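The ISAKMP-profile layout the reply describes, as an added example for this thread rather than the attached sample config (which is not reproduced on this page). It reuses the names from the posted config (IPSEC_VPN, dynmap, myset, 1client, userauthen, groupauthor); the aaa list definitions are an assumption, since they sit in the elided part of the config, and the site-to-site peer address stays the xxx.xxx.xxx.xxx placeholder.

```cisco
! Assumed AAA lists (not shown in the posted config): XAUTH users and
! group authorization are looked up locally on the router.
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
! Remove the crypto-map-wide XAUTH/authorization lines. Applied to the
! whole map, they also challenge the site-to-site peer in sequence 3,
! which never answers XAUTH, so that tunnel never comes up.
no crypto map IPSEC_VPN client authentication list userauthen
no crypto map IPSEC_VPN isakmp authorization list groupauthor
no crypto map IPSEC_VPN client configuration address respond
!
! ISAKMP profile that matches only peers presenting the client group
! name. XAUTH, group authorization and mode-config address assignment
! now apply to those peers only. The site-to-site peer, identified by
! address with the existing pre-shared key, does not match this profile
! and keeps using the global ISAKMP configuration.
crypto isakmp profile VPNCLIENT
 match identity group 1client
 client authentication list userauthen
 isakmp authorization list groupauthor
 client configuration address respond
!
! Bind the profile to the dynamic map used for the remote-access clients.
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile VPNCLIENT
 reverse-route
!
! Static site-to-site entry and dynamic client entry stay as posted.
crypto map IPSEC_VPN 3 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 103
crypto map IPSEC_VPN 10 ipsec-isakmp dynamic dynmap
```

Keeping XAUTH on the client profile preserves the second factor for remote-access users (group key plus per-user credentials) instead of dropping it to get the site-to-site tunnel up; `show crypto isakmp sa` and `show crypto session` confirm both peers reach QM_IDLE / UP-ACTIVE afterwards.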

Thanks for your help.

I'm modifying the config, but I have a doubt: if my LAN is 192.168.2.0, how do I configure access-list 150?

access-list 150 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255

And also, I had these two ACLs and I don't know if they are needed now:

access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 102 permit ip 192.168.2.0 0.0.0.255 any

Thanks and regards

Can you attach your current config so I can review as I don't see where ACL 150 or 102 are applied in the partial config above.